November 30, 2012
Private Guide: OCR Issues De-Identification Guidelines for HIPAA Privacy Rule Compliance
The growing adoption of health information technologies in the United States quickens their potential to enable beneficial studies that combine large, complex data sets from various sources. De-identification – the process by which identifiers are removed from the health information – diminishes privacy risks to individuals and thereby supports the secondary use of data for comparative effectiveness studies, policy assessment, life sciences research, and other endeavors.
This week, the Office of Civil Rights (OCR) released guidance regarding methods for de-identification of protected health information (PHI) in accordance with the HIPAA Privacy Rule. The guidance clarifies and responds to questions regarding the different methods that can be used to satisfy the Privacy Rule’s de-identification standard: expert determination and safe harbor.
The Privacy Rule was intended to protect individually identifiable health information by allowing only the specific uses and disclosures of PHI provided for by the Privacy Rule, or as authorized by the individual who is the subject of the information. However, acknowledging the potential utility of health information even when it does not identify an individual, §164.502(d) of the Privacy Rule permits a covered entity or its business associate to create information that is not individually identifiable by allowing for de-identification through the standards and implementation specifications in §164.514(a)-(b). These provisions allow the entity to use and disclose information that neither identifies nor provides a reasonable basis to identify an individual.
The ARRA of 2009 mandated that the Department of Health and Human Services issue guidance regarding the de-identification of PHI. As a result, OCR gathered research and opinions regarding de-identification approaches, best practices for implementation and management of the current de-identification standard and potential changes to address policy concerns. OCR sought input from experts with practical, technical and policy experience to assist with the creation of guidance materials by conducting an in-person workshop consisting of multiple panel sessions that addressed specific topics related to de-identification procedures and policies. This guidance is meant to assist covered entities in understanding what de-identification is, the general process by which de-identified information is produced, and the options available for de-identifying PHI.
The Privacy Rule puts forth two de-identification methods: (1) a formal determination by a qualified expert (“Expert Method”); and (2) the removal of certain individual identifiers in addition to a lack of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual (“Safe Harbor Method”). The Privacy Rule does not restrict the use or disclosure of health information that has been properly de-identified through one of these methods.
Safe Harbor Method
Additionally, even after the removal of all such identifiers, a covered entity or business associate has not achieved de-identification if it has actual knowledge of the fact that the remaining information could still be used, alone or in combination with other reasonably available information, to identify the individual(s) who are the subjects of such information. In this context, actual knowledge means clear and direct knowledge that the remaining information could be used, alone or in combination with other reasonably available information, to identify the individuals who are the subjects of the information.
What It Means
OCR’s newly provided guidance on the de-identification of health information provides critical guidance to covered entities and business associates who are often asked by non-covered entities and non-business associates (“Outside Entities”) to disclose health information in connection with the development of technology or products by such Outside Entities. For example, if a hospital is asked by a disease management company to disclose health information about the patients it has treated for a particular condition to assist the disease management company in developing a new protocol or clinical pathway for the treatment/management of such condition, the new guidance provides explicit information about the steps the hospital can take to properly de-identify the health information in question thereby facilitating the disclosure of such health information to the disease management company. In doing so, this guidance provides greater certainty for covered entities and business associates interested in providing this type of health information to Outside Entities and, as a result, greater availability of health information for Outside Entities.
What You Should Do
If you have any questions about how these newly issued guidelines might affect your company, please contact your Lathrop Gage attorney or any of the attorneys listed above.